Add an eval expression attribute

You can add an eval expression attribute to any object in your data model. This attribute type uses eval expressions to create fields that can be added to events in your object dataset, in a manner similar to that of calculated fields.

1. In the Data Model Editor, open the object that you would like to add an attribute to.

The Eval Expression text area should just contain the <eval-expression> portion of the eval syntax. There's no need to type the full syntax used in Search (eval <eval-field>=<eval-expression>).

4. Under Attribute enter the attribute Field Name and Display Name.

The Field Name is the name of the attribute in your object data. The Display Name is the attribute name that your Pivot users see when they create pivots. Note: The Field Name cannot include whitespace, single quotes, double quotes, curly braces, or asterisks. The attribute Display Name cannot contain asterisks.

5. Define the attribute Type and set its Flag.

For more information about the Flag values, see the subsection on marking attributes as hidden or required in "Define object attributes," in this manual.

6. (Optional) Click Preview to verify that the eval expression is working as expected.

You should see events in table format with the new eval attribute(s) included as columns. For example, if you're working with an event-based object and you've added an eval attribute named gb, the preview event table should show a column labeled gb to the right of the first column (_time).

The preview pane has two tabs. Events is the default tab. It presents the events in table format. The new eval attribute should appear to the right of the first column (the _time column).

If you do not see values in this column, or you see the same value repeated in the events at the top of the list, it could mean that more values appear later in the sample. Select the Values tab to review the distribution of eval attribute values among the selected event sample. You can also change the Sample value to increase the number of events in the preview sample--this can sometimes uncover especially rare values of the field created by the eval expression.

In the example below, the three real-time searches only appeared in the value distribution when Sample was expanded from First 1,000 events to First 10,000 events.

For more information about the eval command and the formatting of eval expressions, see the eval page as well as the topic "Evaluation functions" in the Search Reference.

Eval expressions can utilize attributes that have already been defined or calculated, which means you can chain attributes together. Attributes are processed in the order that they are listed from top to bottom. This means that you must place prerequisite attributes above the eval expression attribute that uses those attributes in its eval expression. In other words, if you have a calculation B that depends on another calculation A, make sure that calculation A comes before calculation B in the attribute order. For more information see the subsection on attribute order and chaining in "Define object attributes", in this manual.

You can use attributes of any type in an eval expression attribute definition. For example, you could create an eval expression attribute that uses an auto-extracted attribute and another eval expression attribute in its eval expression. It will work as long as those attributes are listed above the one you're creating.

When you create an eval expression attribute that uses the values of other attributes in its definition, you can optionally "hide" those other attributes by setting their Flag to Hidden. This ensures that only the final eval expression value is available to your Pivot users.

Comments

Enter your email address, and someone from the documentation team will respond to you:

Send me a copy of this feedback

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »